DoS vulnerabilities in Asterisk closed

The Asterisk developers have fixed two denial-of-service (DoS) problems in their open source PBX system. The bugs in the invite and voicemail areas of the application were addressed by the release of Asterisk versions 1.8.11-cert4, 1.8.13.1, 10.5.2, and 10.5.2-digiumphones.

In one case, attackers are able to tie up the Asterisk server by using all available RTP (Real-time Transport Protocol) ports, which leads to a DoS situation. In the vulnerable version of the software, if Asterisk sends a re-invite to a call over the SIP protocol and an endpoint responds with a provisional reply but never sends the final response, the RTP ports for the call will not be released. If this is repeated often enough, the server will run out of RTP ports and cannot then receive any incoming calls.
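A monitoring check for the stuck re-invite condition described above, as an added example that is not Asterisk code or part of the original article. The event tuples, peer addresses, function names and the 32-second threshold are all assumptions made for illustration; the sample data is constructed.

```python
from collections import Counter

# Constructed sample events (not a real Asterisk log format):
# (time_s, peer, call_id, cseq, kind). kind is "REINVITE" for a re-INVITE
# sent by the PBX, or the SIP status code of a response it received.
SAMPLE_EVENTS = [
    (0.0,  "198.51.100.7", "call-a", 102, "REINVITE"),
    (0.2,  "198.51.100.7", "call-a", 102, 100),
    (0.9,  "198.51.100.7", "call-a", 102, 200),   # completed normally
    (5.0,  "203.0.113.9",  "call-b", 102, "REINVITE"),
    (5.1,  "203.0.113.9",  "call-b", 102, 183),   # provisional, then silence
    (6.0,  "203.0.113.9",  "call-c", 102, "REINVITE"),
    (6.1,  "203.0.113.9",  "call-c", 102, 100),   # provisional, then silence
    (7.0,  "198.51.100.7", "call-d", 102, "REINVITE"),  # no reply at all
    (95.0, "192.0.2.44",   "call-e", 102, "REINVITE"),
    (95.3, "192.0.2.44",   "call-e", 102, 180),   # still inside the window
]

def stalled_reinvites(events, now, timeout=32.0):
    """Re-INVITEs that got a 1xx reply but no final response within timeout."""
    pending = {}  # (call_id, cseq) -> [peer, sent_at, saw_provisional]
    for t, peer, call_id, cseq, kind in sorted(events, key=lambda e: e[0]):
        key = (call_id, cseq)
        if kind == "REINVITE":
            pending[key] = [peer, t, False]
        elif key in pending:
            if 100 <= kind < 200:
                pending[key][2] = True      # provisional: transaction stays open
            else:
                del pending[key]            # final response closes it
    # Only the case the article describes: provisional seen, final never sent.
    return sorted(
        (peer, call_id, cseq, now - sent)
        for (call_id, cseq), (peer, sent, prov) in pending.items()
        if prov and now - sent > timeout
    )

def peers_over_threshold(stalled, threshold=2):
    """Peers holding at least `threshold` stalled re-INVITEs (assumed cutoff)."""
    counts = Counter(peer for peer, *_ in stalled)
    return {peer: n for peer, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    stalled = stalled_reinvites(SAMPLE_EVENTS, now=100.0)
    for row in stalled:
        print("stalled:", row)
    print("peers to review:", peers_over_threshold(stalled))
```

Each stalled entry corresponds to a call whose RTP ports would stay allocated on a vulnerable version, so a rising count from one peer is an early signal before the port range is exhausted.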

The other bug is located in Asterisk's voicemail system. If two parties simultaneously manipulate the same voicemail account, this can cause a condition where memory is freed twice and the server crashes.